TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

Contents:
1. Awareness
2. Data Stream Map
3. Communication
4. Rights of the subject
5. Legal basis
6. Consent
7. Data breaches
8. Privacy by design and PIAs
9. Data Protection Officer
10. International
11. Contracts
12. Rulebook
The rise of big data has immensely changed our lives and will continue to do so for the coming decades. With the explosion of available information and the technology to process vast amounts of data, we see public opinion and governments getting to grips with this new world. And because information can be as dangerous as it can be helpful, privacy protection has never been as relevant as it is now. In reaction, the European Commission has taken a clear stance with the General Data Protection Regulation: one set of rules to protect every European citizen, with serious consequences for all organisations. A lot has been written about it and many summaries have been made, but in our experience most parties have little notion of how to become GDPR compliant. Therefore, Adversitement has made a pragmatic twelve step plan to help organisations prepare for the General Data Protection Regulation.

1. AWARENESS
The General Data Protection Regulation is a big one; it will have a serious impact on your organization. Because information flows everywhere, it will reach far beyond the boundaries of the legal department. All stakeholders and decision makers in your organization need to be made aware of all new regulatory demands. These key figures need to assess the consequences of the General Data Protection Regulation for specific parts of the organization and decide on the next best actions. Expect a substantial impact on resources to become compliant, and make effective use of the limited time until May 2018, when the law becomes fully enforceable.

2. DATA STREAM MAP
Not knowing what's going on isn't an option anymore. Start by building a Data Stream Map and document all (personal) data processed within your data infrastructure. This information audit will result in a good overview and provide the legal documentation required by the authorities. This is not solely HR or CRM related; do not forget your digital channels and digital marketing tools!
We advise using our Data Life Cycle as a guide to ask the right questions about how data streams through your organization (see appendix 1).

3. COMMUNICATION
Transparency is no longer a luxury. With the General Data Protection Regulation you're obligated to provide information on all your data processing, and this needs to be communicated in a clear and understandable way. Every data subject must be able to understand why you're using their personal data. Use your Data Stream Map to update your privacy statement with all data streams and explain the legitimate basis for the data processing, either via consent or as otherwise required by law. This is also mandatory for all your online endeavours, especially with the proposed European ePrivacy Regulation. Information and transparency are key.
4. RIGHTS OF THE SUBJECT
Along with the Data Stream Map, the rights of the subject will be the most complex and costly part of the General Data Protection Regulation. With the GDPR all European data subjects have the following rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure (right to be forgotten).
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.

These rights pose a serious challenge for nearly all tools, systems and non-digital (dark) data. It is our experience that, because of the many processors, sub-processors and cloud solutions operating together, the right to be forgotten is a key feature to implement. The way to get this right is to assess all your data processing parties and partners in your Data Stream Map. Demand that vendors implement features that enable your organization to quickly stop data processing, correct data, transfer data, grant access and delete data, without the crippling delays and additional costs we so often experience. It might even result in a change of vendor. Your organization simply cannot accept the legal risks and liability of non-compliant partners, or burden its resources by manually answering all data subject related requests.

5. LEGAL BASIS
With the General Data Protection Regulation there must be a legal basis for all processing of personal data. There are multiple conditions under which it is a legal obligation or requirement to process personal data. Your Data Stream Map should also mention, for every activity, the legal basis on which the processing is done. The Regulation notes the following conditions:
- Contractual necessity
- Legal obligation
- Vital interests (life-or-death scenarios. And no, marketing is not vital)
- Public interest
- Legitimate interest (such as fraud prevention)
- Services provided to a client or customer
- And of course explicit consent given by the data subject
6. CONSENT
It can be argued that the entire General Data Protection Regulation is about consent: a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data. This is how it protects European citizens and their privacy, and allows you to legally and transparently process their personal data. The General Data Protection Regulation requires data protection by design and data protection by default. Therefore silence, pre-ticked boxes or inactivity do not constitute consent. It has to be a clear affirmative act of a well informed data subject. Consent should always be based on opt-in and not opt-out. The next best action to comply with the General Data Protection Regulation is to review the ways you ask for, receive and register consent. In the end, you should be able to demonstrate that the data subject has given consent.

7. DATA BREACHES
Data breaches happen. Mail attachments sent to the wrong recipients, passwords written on post-its, data sent to the wrong database, lost devices or even hackers gaining access are unfortunately all too common examples of data breaches. With the General Data Protection Regulation your organization has obligations to be prepared for data breaches and must implement processes to:
- find and identify personal data breaches;
- notify the authority within 72 hours;
- communicate with the data subject in case of a high risk breach.

The documentation of these processes, responsibilities and ownership must be in place and demonstrate that your organization has everything in place to swiftly and correctly comply with the regulation. Alongside your Data Stream Map we strongly advise a Data Governance Rulebook. This Rulebook is also an insurance necessity. Data breaches are very costly in terms of halted business and the resources needed to respond and mitigate. In such cases you'll turn to your cyber insurance, but without proper documentation proving you did everything right, insurers simply won't pay out. Which is quite a loss, with the average cost of a data breach at around $4 million*.

* 2016 Cost of Data Breach Study: Global Analysis, by IBM and Ponemon.
8. PRIVACY BY DESIGN AND PRIVACY IMPACT ASSESSMENTS
With the General Data Protection Regulation it's time to get familiar with privacy by design, or as the regulation calls it, the principles of data protection by design and by default, and with privacy impact assessments (PIAs). Privacy Impact Assessments must be done when implementing new systems, functionalities or innovations involving personal data and profiling. The PIA will indicate the risk level of the data processing and give your organisation the ability to mitigate risk with appropriate measures and consultation with the authorities. Data protection by design is a way of working that requires your organisation, when developing, designing or building its services and solutions, to think of minimising and pseudonymising personal data. Data protection by default requires that all options and settings your organisation offers in services or products have, by default, the strictest privacy protection selected. The data subject can change these settings and provide consent, so opt-in instead of opt-out. Make sure your organisation adopts the principles of data protection and Privacy Impact Assessments by training personnel and making it part of your Data Governance Rulebook.

9. DATA PROTECTION OFFICER
In some cases it's obligatory to appoint a Data Protection Officer, who will be responsible for upholding the General Data Protection Regulation within the organization and who also acts as a representative towards the authorities. Your organization is obligated to appoint a DPO when it's a public authority or body, or when it processes personal data on a large scale (there's no clear minimum threshold at the moment).

10. INTERNATIONAL
When your organization is internationally active you need to determine the leading authority. In most cases this will be the authority of the country where your main establishment resides. Next to multiple authorities, you should be aware of local laws and legislation that might impose additional obligations regarding the processing of personal data.
11. CONTRACTS
It's safe to assume your organisation uses outsourced service providers such as cloud vendors or data experts for data processing. Or, in legal terms, processors who carry out processing on behalf of you, the controller. It's advised to review all contracts and data processing agreements your organisation has with its processors and sub-processors, and to determine what amendments are required. The Data Stream Map should provide ample information on all involved processors and sub-processors whose contracts must be reviewed.

12. RULEBOOK
Establishing effective data governance to comply with the General Data Protection Regulation is not a one time exercise. All eleven previous steps must be a continuous part of your data operations, and the requirements, processes, responsibilities and ownership should be gathered in a Data Governance Rulebook, containing the:
- roles and responsibilities for data governance and compliance with the General Data Protection Regulation;
- process of documenting all data processing in the Data Stream Map, including the legal basis and consent;
- process of maintaining up to date communication with data subjects;
- process of executing the rights of the subject;
- process in case of data breaches;
- operational requirements for Privacy by Design;
- process for execution of Privacy Impact Assessments;
- responsibilities and mandate of the Data Protection Officer;
- requirements for existing and new contracts with data processors.

Want to know more about the GDPR and getting compliant? Please contact:
JANUS DE VISSER
Senior Data Governance Consultant, Adversitement
Hogehilweg 19, 1101 CB Amsterdam
+31 (0) 20 7600 700
www.adversitement.com
APPENDIX 1. DATA LIFE CYCLE
(Diagram.) Labels shown: Define, Generate, Capture, Transport, Transform, Store, Discover, Apply, Repurpose, Destroy, Collect, Process, Utilize.